USACM and CRA Express Concerns Over Cybersecurity Legislation

By David Bruggeman

March 23, 2010

Lost within all the health care legislation coverage was the release of a new draft of S.773, the Cybersecurity Act of 2010. The new draft was released a week before the Senate Commerce, Science and Transportation Committee is scheduled to hold a markup of this legislation. The bill had made some waves last summer when originally introduced, in part because of concerns it would give the President broad authority over the Internet. Subsequent drafts addressed those concerns. The bill covers several cybersecurity topics, including the Federal Scholarship for Service Program, adjustments to federal research and development in cybersecurity; it also proposes several new coordinating mechanisms intended to improve sharing of information to support better cybersecurity practices.
USACM, along with the Computing Research Association (CRA), expressed concerns with certain parts of the bill back in January, particularly the provisions about certification of cybersecurity professionals. The latest draft of the bill does not effectively address those concerns, so both USACM and CRA have reemphasized our position in a letter to the Senate Commerce Committee. While there are good provisions in the bill, the problems with the bill need revision. Our major concerns with the bill can be summarized as follows:

The legislation would require a complex, untested, and mandatory certification regime for employers and employees almost immediately after a National Academies study on certification is completed. A more deliberate process, one that carefully considers the findings of the proposed study, and the feasibility and consequences of such a national system, is called for.

The bill emphasizes narrow training in specific systems and principles, such as secure coding. Systems thinking, and holistic systems design, would go beyond treating the symptoms of poor cybersecurity and address the underlying problems.

The provision for a real-time cybersecurity dashboard does not account for the increased exposure to threats and vulnerabilities that would be required for real-time risk and threat assessment.

You can read more of the reasoning behind our concerns about the bill in the letter linked to above.